Sophos UTM and PRTG (IPFIX Sensor)

I'm currently working on my private PRTG installation and stumbled across the PRTG IPFIX sensor by chance.

IPFIX is a further development of Cisco Netflow and is also used to collect and visualize traffic data within a network.

Since the Sophos UTM also supports IPFIX, PRTG can receive the IPFIX data and process it graphically. This then looks like this, for example:

The display in PRTG may take some getting used to, but you can quickly see which host is "particularly active". In the example above, the "gray area/host" (also called the daughter's smartphone) is responsible for almost 50% of the data traffic... (In this case, there is a clear need for regulation by an authority)

It is somewhat unfortunate that the colors of the hosts vary depending on the time, so the "grey host" is the pink host a few minutes later:

The color pink fits the daughter's cell phone much better... I'll have to see what she's doing there...

But let's start with the furnishings.

Add PRTG IPFIX sensor

The PRTG IPFIX sensor can be added on a device or on the sample, in this case I added the sensor on the device "Sophos UTM":

The Sophos UTM uses the UDP port 4739 for the IPFIX data, I have initially selected 10 minutes as the value for the time override:

The value for the active flow timeout is definitely relevant and may need to be adapted to your own environment. There is a description here:

• What is the Active Flow Timeout in Flow sensors?

After the PRTG sensor has been created, IPFIX accounting can be activated on the Sophos UTM.

Activate IPFIX on the Sophos UTM

IPFIX is quite hidden, it can be found under "Logs & Reports" in the report settings:

The IPFIX settings can be found at the bottom of the page:

Once IPFIX accounting has been activated and the PRTG server has been specified as the host, the first information will be visible in PRTG after a short time.